Automating adding trusted passwords or certificates into your users' keychains? Well, this new prompt (as of macOS 10.12) can confuse users and subconsciously train them to hit "Always Allow" every chance they get. Not ideal, so let's discuss how to reduce these prompts.

macOS introduced a new security mechanism in the keychain: partition lists. You see these mentioned in the security man page in macOS 10.12.5:

set-generic-password-partition-list Set the partition list of a generic password item.

set-internet-password-partition-list Set the partition list of a internet password item.

set-key-partition-list Set the partition list of a key.

Partition lists are essentially access control lists. If an application (or suite of applications) is not in the partition list, you will receive the above prompt when the application accesses the keychain item.

Isn't this already covered when using the -T flag? I'm afraid not, my friend, although the -T flag is still needed in most cases.

The meat of the command is in the -S flag, where you state the list of applications allowed to access the keychain entry. In this case teamid:UBF8T346G9 refers to ALL Microsoft Office 2016 applications. I'll show you where to get these in a bit.

If you need a keychain entry to be accessible by multiple applications, say NTLM credentials for an HTTPS site used by both Safari and JAMF Self Service, the list is simply comma separated. Apple software (Safari in this case) can be referenced using apple: and apple-tool:, so it would look like:

-S apple-tool:,apple:,teamid:483DWKW443

(teamid:483DWKW443 referencing the JAMF Self Service application)

So... how do I go about finding these application references?

security dump-keychain -a

Be wary: the output is very verbose. In most of my testing I've been piping it to less:

security dump-keychain -a | less

Keep in mind that it takes at least a couple of minutes for the full output to load into less.

Take note of access entry 3: its description sub-item lists all the partition IDs allowed to access the keychain entry.

The time-consuming task here is to dump the keychain access list (-a) before and after hitting "Always Allow" on the GUI prompt above and noting the difference. To get you started, I have a couple of partition IDs already gathered here.
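To take the tedium out of that before/after comparison, here is an added example (not from the original post) that parses dump-keychain output for the partition_id access entry of each item and reports which partition IDs appeared after the click. The dump text is a constructed sample shaped like one item of `security dump-keychain -a` output, not a real dump.

```python
import re

# Constructed sample shaped like one item of `security dump-keychain -a`; not a real dump.
DUMP_TEMPLATE = """\
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
attributes:
    "svce"<blob>="Microsoft Office Identities Cache 2"
access: 2 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        description: Microsoft Office Identities Cache 2
        applications (1):
            0: /Applications/Microsoft Outlook.app (OK)
    entry 1:
        authorizations (1): partition_id
        description: {ids}
"""
BEFORE = DUMP_TEMPLATE.format(ids="apple-tool:,apple:")
AFTER = DUMP_TEMPLATE.format(ids="apple-tool:,apple:,teamid:UBF8T346G9")


def partition_lists(dump: str) -> dict[str, list[str]]:
    """Map each item's service/server/label name to the partition IDs in its access list."""
    result: dict[str, list[str]] = {}
    for item in re.split(r"^(?=keychain: )", dump, flags=re.M):
        if not item.strip():
            continue
        m = re.search(r'"(?:svce|srvr|labl)"<blob>="([^"]*)"', item)
        name = m.group(1) if m else "<unnamed>"
        ids: list[str] = []
        in_partition_entry = False
        for line in item.splitlines():
            s = line.strip()
            if s.startswith("authorizations"):
                # Only the entry authorized as partition_id carries the partition list.
                in_partition_entry = "partition_id" in s
            elif in_partition_entry and s.startswith("description:"):
                ids = [p for p in s[len("description:"):].strip().split(",") if p]
                in_partition_entry = False
        result[name] = ids
    return result


def added_partition_ids(before: str, after: str) -> dict[str, list[str]]:
    """Partition IDs present after clicking "Always Allow" that were absent before."""
    old, new = partition_lists(before), partition_lists(after)
    diff: dict[str, list[str]] = {}
    for name, ids in new.items():
        extra = [p for p in ids if p not in old.get(name, [])]
        if extra:
            diff[name] = extra
    return diff
```

Feed the two real dumps (saved to files before and after the click) to added_partition_ids and the result is exactly the value to put in -S.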

As you'll see in the security man page, besides the -S flag, the -k flag is also required and must state the user password. Next you must choose one or more methods for finding, or "matching", the keychain entry.

Choose your own adventure here, but it's probably easiest to match generic password entries based on the service name (-s), and certificate keys based on the key name (-l).

To note: in 10.12.5 there is a bug when matching on the service (-s) flag with set-internet-password-partition-list. The flag is essentially ignored and the command will currently change partition lists for ALL http/https entries. Depending on your security requirements you could add http/https partition IDs to all http/https entries, but note that you may not want to modify internet password partition lists at this time. I do have a bug report submitted to Apple enterprise support, but please do submit additional reports if this is important to you.

Happy Hunting, and I hope this both improves user experience and security by training your users to not get into the habit of hitting "Always Allow" to every prompt they see!

Requiring certificate auth to your ASA for VPN? Then this prompt in AnyConnect probably looks familiar and results in too many calls to the help desk.

Unless AnyConnect is aware of which certificate it needs, it's going to go gangbusters through your system keychain looking for it, prompting for local administrative rights at every usable certificate.

There are 2 ways to handle this:

1) Preferred - Push out an AnyConnect profile from the ASA that includes a certificate match. AnyConnect documentation here, but the idea is that AnyConnect will look for a unique attribute in your VPN certificate.

You can match on any of the following criteria:

CN—Subject Common Name
C—Subject Country
DC—Domain Component
DNQ—Subject Dn Qualifier
EA—Subject Email Address
GENQ—Subject Gen Qualifier
GN—Subject Given Name
I—Subject Initials
L—Subject City
N—Subject Unstruct Name
O—Subject Company
OU—Subject Department
SN—Subject Sur Name
SP—Subject State
ST—Subject State
T—Subject Title
ISSUER-CN—Issuer Common Name
ISSUER-DC—Issuer Component
ISSUER-SN—Issuer Sur Name
ISSUER-GN—Issuer Given Name
ISSUER-N—Issuer Unstruct Name
ISSUER-I—Issuer Initials
ISSUER-GENQ—Issuer Gen Qualifier
ISSUER-DNQ—Issuer Dn Qualifier
ISSUER-C—Issuer Country
ISSUER-L—Issuer City
ISSUER-SP—Issuer State
ISSUER-ST—Issuer State
ISSUER-O—Issuer Company
ISSUER-OU—Issuer Department
ISSUER-T—Issuer Title
ISSUER-EA—Issuer Email Address
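To see why the matched attribute has to be unique, here is an added illustration (not AnyConnect's code, and exact-match only, so simpler than the real matcher) of a certificate-match rule picking one identity out of several in a user's keychain. The keychain contents and rule values are constructed; the criteria names follow the list above.

```python
# Added example: a certificate-match rule narrows AnyConnect's choice to one certificate.
# Simplified illustration (exact match only); not AnyConnect's implementation.
CRITERIA = {"CN": ("subject", "CN"), "OU": ("subject", "OU"), "O": ("subject", "O"),
            "ISSUER-CN": ("issuer", "CN"), "ISSUER-O": ("issuer", "O")}


def parse_dn(dn: str) -> dict[str, str]:
    """'CN=jdoe,OU=VPN-Users,O=Example Corp' -> {'CN': 'jdoe', 'OU': 'VPN-Users', ...}."""
    return dict(part.split("=", 1) for part in dn.split(","))


def matches(cert: dict[str, str], rules: dict[str, str]) -> bool:
    """True when every rule holds, e.g. {'OU': 'VPN-Users', 'ISSUER-CN': 'Corp VPN CA'}."""
    for criterion, wanted in rules.items():
        side, attr = CRITERIA[criterion]
        if parse_dn(cert[side]).get(attr) != wanted:
            return False
    return True


def candidate_certs(keychain: list[dict[str, str]], rules: dict[str, str]) -> list[str]:
    """Subjects AnyConnect would try (each one a prompt); with no rules every identity qualifies."""
    return [c["subject"] for c in keychain if matches(c, rules)]


# Constructed user keychain: three identities with private keys, only one issued for VPN.
KEYCHAIN = [
    {"subject": "CN=jdoe,OU=VPN-Users,O=Example Corp", "issuer": "CN=Corp VPN CA,O=Example Corp"},
    {"subject": "CN=jdoe,OU=Staff,O=Example Corp", "issuer": "CN=Corp Wi-Fi CA,O=Example Corp"},
    {"subject": "CN=jdoe,OU=Mail,O=Example Corp", "issuer": "CN=Corp Mail CA,O=Example Corp"},
]
```

Matching on CN alone still yields three candidates (three prompts); matching on OU or ISSUER-CN yields exactly the VPN certificate.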

2) Stage a ~/.anyconnect file. You might want to stage this anyway to autofill the server address, but here you can also inform AnyConnect of the correct certificate to use. I'm assuming that the VPN certificate is installed in the user keychain.

Import your certificate, allowing trust settings for the AnyConnect application. In addition, you may want to modify the partition IDs to hide the "Allow/Deny" prompt in macOS Sierra (I'll expand on this in another blog post).